On 19 May 2009, at 13:35, Suzanne Woolf wrote:


This is going to be a very useful document, two high-level points:

Thanks


This raises a question that we have discussed amongst ourselves, namely the terminology "KSK" and "ZSK". Conceptually it is simple, in that a ZSK signs the records in the zone, and a KSK signs the DNSKEY RRset and is pointed to by a DS/configured as a trust anchor. But as you say, ZSKs can be pointed to by a DS and used as trust anchors. And theoretically you could have multiple ZSKs, each of which signs just some of the records in the zone (a partial-zone signing key?).

Please don't change this. Making finer distinctions in one document,
clearly defined, is one thing. But please don't try to change
terminology we're finally starting to get people to use; it's been
(and continues to be) hard enough to get them to stop talking about
one key and the singular act of signing.


This was kind of my idea - so maybe I can explain my thinking a bit. I am wondering if this document should restrict itself purely to considering keys and say nothing about what is signed by those keys. Therefore, it would not use the KSK and ZSK terminology.

You could have keys with the following set of properties:
- how they are rolled (pre-publish or double key)
- the SEP bit on or off
- bit 7 (zone key bit always set)
- bit 8 revoked bit
- protocol == 3
- an algorithm
- a size
- is this key intended to be pointed to by a DS RR?
- is the zone operator doing RFC5011?

Some of these properties impact on, or are altered by, timing considerations.

Some combinations of these properties make useful keys and it may well be best practice to use them to sign particular RRSets. However, I wonder if this draft is the place to comment on that issue - would it be better in a BCP? This draft could just consider the timing considerations for keys with particular (anticipated to be useful) sets of properties and be pointed to by a BCP which says which properties a good KSK, ZSK or anotherSK should have and what RRSets they actually sign.

John

---
John Dickinson
http://www.jadickinson.co.uk

I am riding from Lands end to John O'Groats to raise money for Parkinson's Disease Research. Please sponsor me here http://justgiving.com/pedalforparkinsons2009
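The key-property list in John's message (zone key bit 7, revoked bit 8, SEP bit, protocol 3, algorithm, size) maps directly onto the DNSKEY RDATA fields. The following is an added example, not code from the thread or from any draft: it parses a DNSKEY record in presentation format, reports each of those properties, and derives the key size from the public key (RSA modulus length per RFC 3110, fixed sizes for the ECDSA/EdDSA algorithms). The sample record is constructed here, not taken from a real zone.

```python
import base64
from dataclasses import dataclass
from typing import Optional

# DNSKEY flag bits, numbered from the most significant bit (RFC 4034, RFC 5011).
FLAG_ZONE_KEY = 0x0100  # bit 7: must be set or the key is not usable for DNSSEC
FLAG_REVOKE = 0x0080    # bit 8: RFC 5011 revocation
FLAG_SEP = 0x0001       # bit 15: Secure Entry Point hint (not an access control)

RSA_ALGORITHMS = {5, 7, 8, 10}
FIXED_SIZE_ALGORITHMS = {13: 256, 14: 384, 15: 256, 16: 456}  # P-256, P-384, Ed25519, Ed448

@dataclass
class KeyProperties:
    zone_key: bool
    revoked: bool
    sep: bool
    protocol_ok: bool
    algorithm: int
    size_bits: Optional[int]  # None for algorithms this example does not size

def rsa_modulus_bits(pubkey: bytes) -> int:
    """RFC 3110 wire format: exponent length (1 or 3 bytes), exponent, then modulus."""
    if pubkey[0] != 0:
        exp_len, offset = pubkey[0], 1
    else:
        exp_len, offset = int.from_bytes(pubkey[1:3], "big"), 3
    modulus = pubkey[offset + exp_len:]
    return int.from_bytes(modulus, "big").bit_length()

def parse_dnskey(rdata: str) -> KeyProperties:
    """Parse 'FLAGS PROTOCOL ALGORITHM BASE64...' into the properties listed above."""
    flags_s, proto_s, alg_s, *key_parts = rdata.split()
    flags, protocol, algorithm = int(flags_s), int(proto_s), int(alg_s)
    pubkey = base64.b64decode("".join(key_parts))
    if algorithm in RSA_ALGORITHMS:
        size = rsa_modulus_bits(pubkey)
    else:
        size = FIXED_SIZE_ALGORITHMS.get(algorithm)
    return KeyProperties(
        zone_key=bool(flags & FLAG_ZONE_KEY),
        revoked=bool(flags & FLAG_REVOKE),
        sep=bool(flags & FLAG_SEP),
        protocol_ok=(protocol == 3),
        algorithm=algorithm,
        size_bits=size,
    )

# Constructed sample: RSA/SHA-256 (alg 8), exponent 65537, 2048-bit modulus, flags 257 (zone key + SEP).
_SAMPLE_PUBKEY = bytes([3, 0x01, 0x00, 0x01]) + b"\x80" + b"\x00" * 255
SAMPLE_RDATA = "257 3 8 " + base64.b64encode(_SAMPLE_PUBKEY).decode()
```

Running `parse_dnskey(SAMPLE_RDATA)` shows why the SEP bit alone does not make a key a "KSK": it only reports the flag, and a DS or trust-anchor configuration pointing at the key is decided elsewhere.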



_______________________________________________
DNSOP mailing list
DNSOP@ietf.org
https://www.ietf.org/mailman/listinfo/dnsop
